I was performing computer maintenance and usually find manufacturer sites safe to download from. I was trying to locate any files for my newly purchased DP832 and behold, Worm.Palevo was embedded in a zip file from Rigol's download site. Worm.Palevo uses applications I don't have on my computer. Additionally, it uses vulnerabilities of pre-Win7 OS to propagate. I am running Win7, which may have somewhat limited its reach.

Additionally, I downloaded the file once more to verify and it is there. BEWARE!!

Exactly, there are tons of posters on the file sharing/downloading sites, especially torrent trackers, who yell about the virus. Yet they almost always fail to double check if the file is really infected or their antivirus is just acting up.

I have never tried Ultrapower, but Ultrasensor for the DM3058 is guaranteed to brick your meter if you aren't careful. Three easy steps, but nobody's interested, especially Rigol.

Unfortunately Rigol treat me like some kind of annoying leper rather than fix such simple things in their firmware. I reported how the DM3058 is utterly useless in AGILENT SCPI mode over a year ago and absolutely nothing has been done. It is the most obvious bug imaginable, could be fixed in 10 minutes, but nope...

Yes, I wouldn't be in the least surprised if there really is a virus in Ultrapower rather than just a false positive. Rigol's PC software is utter shit. FACT

Agreed it doesn't make sense, but that is Rigol's site for downloads. As for the software being 'sensitive', MalwareBytes works effectively. Very rare false positives. However, I did run it across another anti-malware program and it clears without any issue. But that doesn't always mean it's correct, as the anti-malware suites are always ahead and behind as they try to stay at the top.

Did you by chance try it with your anti-malware to determine if it was flagged?

Not even sure how to respond.... I am trying to make people aware of a potential threat.

It smells of false positive.

It's possible the file is really infected, of course.. but it's an old, old worm, and nothing else is detecting it. A couple of very, very generic heuristic hits, which pretty much pins it as a false positive.

I took a brief glance at the file and I can definitely understand why some AV is thinking it is suspicious -- embedded in the middle of the installer .exe is what appears to be another .exe which has been obfuscated by XOR'ing each byte with the value 7 (suspicious point 1)[1]; I tried extracting and unobfuscating it but it seems not the whole file is actually obfuscated, although from what I could see of the header it's been packed with UPX (suspicious point 2). I didn't go deep enough to figure out where the XOR'ing obfuscation actually ends, so I couldn't unpack that one and explore further, but this would be enough for me to think it's trying to hide something.

[1] I observed the interesting phrase "Sont'wuh`ufj'dfiihs'eb'uri'ni'CHT'jhcb", which is actually the usual "This program cannot be run in DOS mode" message near the beginning of .exe files but with each byte XOR'd with 7. Googling this message brings up a discussion in Czech that mentions AV detection, so perhaps that's what is triggering it.

(And now everyone with web-AV that triggers on this phrase will get a funny message when they visit this thread...)

Quote

Did you by chance try it with your anti-malware to determine if it was flagged?

Did you even bother to read with which antiviruses/antimalware that file was checked on Virustotal? Malwarebytes is one of them. Rather stupid to install many antimalware programs on the computer while you can just upload the file and check with 50+ of them at once.

Quote

I took a brief glance at the file and I can definitely understand why some AV is thinking it is suspicious -- embedded in the middle of the installer .exe is what appears to be another .exe which has been obfuscated by XOR'ing each byte with the value 7 (suspicious point 1)[1]; I tried extracting and unobfuscating it but it seems not the whole file is actually obfuscated, although from what I could see of the header it's been packed with UPX (suspicious point 2). I didn't go deep enough to figure out where the XOR'ing obfuscation actually ends, so I couldn't unpack that one and explore further, but this would be enough for me to think it's trying to hide something.

Like you stated, it really looks like it's been packed, but I can't state it's UPX or something else. Many EXE packers do this, and although it isn't harmful at all, it does trigger some anti-virus (false positive).

They work by compressing and/or obfuscating the original EXE and then injecting an on-the-fly decompressor on the resulting EXE. When the resulting EXE is run, the runtime decompressor loads first and then takes care of decompressing and loading the original code. As you can see, injecting lots of executable code in memory at runtime looks a lot like virus activity - and the code to do that is the same as many virii, but in this case it is legitimate and harmless.

In the past, in the days of dial-up internet, when bandwidth was limited, HDDs were very expensive, and floppy disks were popular, I used UPX and ASPack a lot to distribute software I wrote. The intention was just to make the EXE smaller. Nowadays it's also used to protect IP and prevent debugging, cracking and reverse engineering. I am sure that is the case. I'd rather give Rigol the benefit of the doubt and ask them directly if this is a false positive triggered by a runtime packer. If my suspicion is confirmed, it'd be smart of them to have a note on their site that some of their files do trigger some anti-virus because of runtime packers that are used to protect their IP.

« Last Edit: January 23, 2016, 05:07:18 AM by AlxDroidDev »


"The nice thing about standards is that you have so many to choose from." (Andrew S. Tanenbaum)

Quote

Exactly, there are tons of posters on the file sharing/downloading sites, especially torrent trackers, who yell about the virus. Yet they almost always fail to double check if the file is really infected or their antivirus is just acting up.

Yelling wasn't what I was after but now observing the title a bit more it looks that way.


Thanks to the contributors here for reviewing the issue. I reached out to Rigol, explained the scenario and had their IT group look into the file. They were appreciative and said they run their site against TWO anti-malware programs to review their software and they will try to identify the issue.

Modern antivirus software will report nearly any packed executable as a virus. Which is funny, considering I've never seen a real computer virus packed with UPX (or so) since 2001 or so. Modern malicious software isn't packed, doesn't infect files, just installs toolbars, modifies the registry and adds a perfectly legitimate botnet in your autorun. But the most thing modern antiviruses do is mark your program made in Turbo Pascal that calculates prime numbers as malicious (really, Avast, come on)

Do you understand what virustotal is? Your file is tested with 55 antivirus/antimalware programs. So installing the same antivirus/antimalware on your computer is unlikely to detect something malicious that virustotal doesn't. Yes, it's handy for criminals too because they don't need:

Quote

to install two anti-malware

From your link:

Quote

upload a file and dozens of antivirus tools will check to see if it's malicious.

Quote

Like you stated, it really looks like it's been packed, but I can't state it's UPX or something else. Many EXE packers do this, and although it isn't harmful at all, it does trigger some anti-virus (false positive).

I unobfuscated enough to see the header and the section names "UPX0", as well as the entry point (which doesn't seem to be obfuscated, so I had to XOR with 7 again) matches with that of UPX.
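The two observations in this thread (the DOS-stub message showing up XOR'd with 7, and the UPX0/UPX1 section names once the header is decoded) are exactly what a triage script checks for before deciding "false positive" or "look closer". The script below is an added example and not code from the thread or from Rigol's installer: it brute-forces every single-byte XOR key against a known plaintext, walks back to the obfuscated MZ signature, decodes the header and lists the embedded PE's section names. The sample input is a constructed carrier with a minimal fake PE image (not a real program) XOR'd with 7 embedded in it; the `UPX0`/`UPX1`/`.rsrc` names are the ones UPX is known to use. It goes slightly beyond the post in that it tries all 256 keys rather than only 7.

```python
import struct

# Known plaintext present near the start of almost every PE file.
DOS_MSG = b"This program cannot be run in DOS mode"
# Section names written by the UPX packer.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def xor_bytes(data, key):
    """XOR every byte with one single-byte key (the obfuscation seen in the thread)."""
    return bytes(b ^ key for b in data)


def find_xored_markers(blob, marker=DOS_MSG):
    """Return (key, offset) for every single-byte key under which `marker` appears in `blob`.

    Key 0 hits are the carrier's own plain stub; non-zero keys point at an
    obfuscated embedded executable, which is the suspicious case."""
    hits = []
    for key in range(256):
        needle = xor_bytes(marker, key)
        start = 0
        while True:
            off = blob.find(needle, start)
            if off < 0:
                break
            hits.append((key, off))
            start = off + 1
    return hits


def locate_mz(blob, msg_offset, key, window=0x80):
    """Walk back from the stub message to the 'MZ' signature encoded under the same key."""
    mz = xor_bytes(b"MZ", key)
    pos = blob.rfind(mz, max(0, msg_offset - window), msg_offset)
    return pos if pos >= 0 else None


def pe_section_names(image):
    """Parse a decoded PE image far enough to read its section table names."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                   # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        entry = table + 40 * i
        if entry + 40 > len(image):
            break
        names.append(image[entry:entry + 8].rstrip(b"\0"))
    return names


def scan(blob):
    """Report every XOR-encoded DOS stub, the key, where the MZ header sits and whether it looks UPX-packed."""
    findings = []
    for key, msg_off in find_xored_markers(blob):
        mz_off = locate_mz(blob, msg_off, key)
        sections = pe_section_names(xor_bytes(blob[mz_off:], key)) if mz_off is not None else []
        findings.append({
            "key": key,
            "offset": mz_off if mz_off is not None else msg_off,
            "sections": sections,
            "upx": any(n in UPX_SECTION_NAMES for n in sections),
        })
    return findings


def build_fake_pe(section_names):
    """Constructed minimal PE image (header only, not runnable code) for the sample input."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_MSG + b"\r\r\n$"
    stub = stub.ljust(e_lfanew - 0x40, b"\0")
    opt_header = struct.pack("<H", 0x10B).ljust(224, b"\0")  # PE32 magic, remainder zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt_header), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + stub + b"PE\0\0" + coff + opt_header + sections


# Constructed sample: an "installer" whose own plain stub text sits in the head,
# with a UPX-style image XOR'd with key 7 embedded in the middle.
CARRIER_HEAD = b"INSTALLER-HEAD " * 8 + DOS_MSG + b" (outer installer's own stub)\0"
CARRIER_TAIL = b"\xffINSTALLER-TAIL" * 8
EMBEDDED = xor_bytes(build_fake_pe([b"UPX0", b"UPX1", b".rsrc"]), 7)
SAMPLE = CARRIER_HEAD + EMBEDDED + CARRIER_TAIL

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("key=%3d offset=0x%x sections=%s upx=%s" % (f["key"], f["offset"], f["sections"], f["upx"]))
```

On the constructed sample the scan reports two hits: key 0 at the carrier's own stub text (no MZ in front of it, so no sections) and key 7 at the embedded image, whose section table reads `UPX0, UPX1, .rsrc`. Finding UPX sections under a non-zero key is the combination the poster above describes; it explains a generic AV heuristic hit without proving the payload is malicious, which is why the next step is unpacking in an isolated VM rather than trusting either verdict.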

Quote

In the past, in the days of dial-up internet, when bandwidth was limited, HDDs were very expensive, and floppy disks were popular, I used UPX and ASPack a lot to distribute software I wrote. The intention was just to make the EXE smaller. Nowadays it's also used to protect IP and prevent debugging, cracking and reverse engineering. I am sure that is the case. I'd rather give Rigol the benefit of the doubt and ask them directly if this is a false positive triggered by a runtime packer. If my suspicion is confirmed, it'd be smart of them to have a note on their site that some of their files do trigger some anti-virus because of runtime packers that are used to protect their IP.

I don't know if Rigol themselves would say anything since it could be their software has been infected and they don't know... UPX by itself isn't suspicious and easy to unpack, it's that XOR-7 obfuscation that worries me (and probably the AV.) If I really had to use this I'd get a VM and try to unpack it there first.